A Healthcare CIO’s Guide to HIPAA Compliance in Co-working Spaces

COVID-19 has caused a rethinking in how companies view office space and corporate real estate.  In the case of healthcare, one of the lines of thought has been as to whether or not team members not directly involved in patient care or support need to be located at facilities where it takes place.  Another thought has been around leased space.  Do organizations really need as much now that many team members work from home?  What about the additional cleaning and maintenance costs to maintain your own properties?  This all translates into an immediate future where co-working spaces provide an economic alternative to organizations that wish to have some degree of office space without paying the overhead costs to maintain it.

Normally sales or staffing organizations have opted for this type of arrangement.  However, enterprise clients have also been using these spaces.  According to the Denver Business Journal of August 27, 2020, over 50% of WeWork’s core revenue in the second quarter of 2020 came from enterprise clients, including large corporations such as Microsoft and Salesforce.

When you look at the cost of a new hospital, it’s incredibly expensive.  The proposed replacement for IU Health Methodist and University Hospitals is forecast to cost $1.6 billion and have 576 beds.  That is $2.78 million per bed, which puts pressure on leadership to use that space as efficiently as possible.  Joint Commission and regulatory/code requirements also effectively preclude using that space for anything other than patient care, because it has to be built anticipating patient care usage in order to comply with code.  Healthcare is a business, and it does not make good economic sense to put non-patient-care functions in space that has been built to a higher code than office space.

With the additional costs for leased space or owned corporate offices, coworking spaces now look very attractive.  The use of coworking space for non-patient care functions such as business services makes economic sense compared to the alternatives.  Security is a major consideration given this new possibility and the risks it entails.

This guide is designed for CIOs and other executives that will be supporting coworking spaces for non-core functions.  We will cover office space, PCs and laptops, wired networking, wireless networking, printing, PCI-DSS compliance, and phone support.  Our goal is to give you a checklist that will empower you to use these spaces and stay compliant.

  • Office Space. HIPAA still applies, and you’re still a covered entity.  Get private offices for your team members that will be working at co-working locations and make sure that they can lock the doors and have keys or badge tap access.  This costs more than the desks on the outside.  However, you still need to make sure you maintain reasonable and appropriate privacy.  Don’t store paper documents with PHI or PII here unless they are stored under lock and key that you control.
  • PCs and Laptops. Don’t Bring Your Own Device (BYOD) to a coworking space.  You will need to use Virtual Private Networking (VPN) to connect back to the corporate office and secure the network connection.  You want to make sure that only devices you control can directly connect to your business networks.  This means that while BYOD may be great for home workers, it’s best to treat a coworking space like an extension of the office because of the direct network connectivity you need to have.
  • Wired Networking. If you can get a wired network jack, this is the best option to get.  Get a Cisco ASA or Juniper VPN router/network switch and use that to establish a VPN connection back to your corporate datacenter.  This will allow you to plug in phones, credit card processing devices, printers, and computers without having to involve the corporate IT staff from the coworking space any more than necessary.  It will also allow you to scan, monitor, and maintain these devices as if they were on your main corporate network.
  • Wireless Networking. If you want to use wireless networking, use their network only for basic connectivity, and use a VPN to reach your corporate network or the Internet.  You don’t know their security well, and don’t assume that they do either.  Security is not their core business.  Do not use printers, credit card devices, or IP phones on their wireless network.  Getting these devices to work with their corporate network will be a configuration nightmare.  Spend the extra money and get a VPN router/switch on a wired connection for those devices instead.
  • Printing. Do not use their printers.  You will not get them to work the way you want, and you may also have to pay per page.  Use your own corporate-supplied printers that have been configured and tested to work with your applications.  Plug them into your own VPN router/switch and have them managed by your print servers.  Do not configure them for wireless.  Make sure these devices do not have their own persistent storage, and if they do, that it’s encrypted.  They will also need a release feature that requires either a PIN or a badge tap before print jobs are printed.  You don’t want just anyone walking up and taking your printouts, especially if they contain PHI!
  • PCI-DSS Compliance. You will need supported and certified Point-to-Point Encryption (P2PE) devices if you choose to take credit cards.  We recommend using the ones with LTE connections so you don’t connect to any network.  However if you have to connect, use a certified P2PE device that plugs into a secure VPN router that goes back to your corporate network.  Make sure these all sit in a good private space.
  • Phone Support. If you have corporate phones, either use a softphone on a secured Virtual Desktop on a VPN-connected laptop, or an IP phone that connects via the VPN router back to your corporate network.  If you have to take credit cards over the phone, you need to do so securely, and a cell phone or smartphone doesn’t cut it.  Using a softphone or IP phone over VPN allows you to use solutions like Semafone to protect credit card information without putting the coworking space’s network in scope for PCI-DSS.
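The checklist above can be encoded as a policy-as-code audit that IT runs against the device inventory for each coworking site before it opens. This is an added example, not code from the original article; the `Device` fields, `link` values and sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Device:
    name: str
    kind: str                  # "laptop", "printer", "p2pe", "ip_phone"
    owner: str                 # "corporate" or "byod"
    link: str                  # "wired_vpn", "cowork_wifi", "cowork_wired", "lte"
    vpn_client: bool = False   # software VPN running on the device itself
    persistent_storage: bool = False
    storage_encrypted: bool = False
    pin_release: bool = False  # PIN or badge tap needed to release print jobs
    p2pe_certified: bool = False

def audit(dev: Device) -> list[str]:
    """Return the checklist items this device violates; empty means compliant."""
    f = []
    if dev.owner != "corporate":
        f.append("BYOD not permitted; only corporate-controlled devices")
    if dev.kind == "laptop":
        # The coworking network is transport only: traffic must ride our VPN.
        if dev.link != "wired_vpn" and not dev.vpn_client:
            f.append("laptop on coworking network without VPN back to corporate")
    else:
        allowed = {"wired_vpn", "lte"} if dev.kind == "p2pe" else {"wired_vpn"}
        if dev.link not in allowed:
            f.append(f"{dev.kind} must sit behind the corporate VPN router, not {dev.link}")
    if dev.kind == "printer":
        if dev.persistent_storage and not dev.storage_encrypted:
            f.append("printer storage is unencrypted")
        if not dev.pin_release:
            f.append("printer lacks PIN/badge release for print jobs")
    if dev.kind == "p2pe" and not dev.p2pe_certified:
        f.append("payment device is not a certified P2PE terminal")
    return f

def audit_site(devices: list[Device]) -> dict[str, list[str]]:
    """Map each non-compliant device name to its findings."""
    return {d.name: fs for d in devices if (fs := audit(d))}

# Constructed sample inventory for one coworking office (not real devices).
SAMPLE_INVENTORY = [
    Device("LT-0142", "laptop", "corporate", "cowork_wifi", vpn_client=True),
    Device("LT-HOME", "laptop", "byod", "cowork_wifi", vpn_client=True),
    Device("PRN-01", "printer", "corporate", "wired_vpn", persistent_storage=True,
           storage_encrypted=True, pin_release=True),
    Device("PRN-02", "printer", "corporate", "cowork_wifi", persistent_storage=True),
    Device("POS-LTE", "p2pe", "corporate", "lte", p2pe_certified=True),
    Device("PH-07", "ip_phone", "corporate", "cowork_wired"),
]
```

Running `audit_site(SAMPLE_INVENTORY)` flags the BYOD laptop, the printer on coworking Wi-Fi (three findings) and the IP phone on the coworking wired network, while the VPN-tunnelled laptop, the locked-down printer and the LTE payment terminal pass.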

With the budget challenges coming due to COVID costs, CIOs and real estate teams will be asked to be creative to save money and use space more efficiently.  This is one way we can do so while preserving the security of the data our patients and customers entrust to us.  Healthcare is about being good stewards of both data and finances.  Following the steps above allows us to do both and save by using coworking spaces instead of full leases.

About the author

Mitch Parker, CISO

Mitchell Parker, MBA, CISSP, is the CISO, at IU Health. Mitch has eleven years’ experience in this role, having established effective organization-wide programs at multiple organizations. He is responsible for providing policy and governance oversight and research, third-party vendor guidance, proactive vulnerability research and threat modeling services, payment card and financial systems security, and security research to IU Health and IU School of Medicine. In this role, Mitch collaborates across the organization and with multiple third parties to improve the people, processes, and technologies used to facilitate security and privacy for the benefit of IU Health’s patients and team members.
